xiaowuhello
Do not choose to restart at the end of the process.

6) Install Zend Optimizer

# cd /usr/local/src

# tar xzvf ZendOptimizer-3.3.3-linux-glibc23-i386.tar.gz

# ./ZendOptimizer-3.3.3-linux-glibc23-i386/install.sh

Do not choose to restart Apache at the end of the Zend Optimizer installation.

2. Integrate Apache with PHP and perform the initial system configuration.

1) Integrate Apache with PHP

# vi /usr/local/apache2/conf/httpd.conf

Find:

AddType application/x-gzip .gz .tgz

Add the following below that line:

AddType application/x-httpd-php .php

Find:

<IfModule dir_module>

DirectoryIndex index.html

</IfModule>

Change it to:

<IfModule dir_module>

DirectoryIndex index.html index.htm index.php

</IfModule>

Find:

#Include conf/extra/httpd-mpm.conf

#Include conf/extra/httpd-info.conf

#Include conf/extra/httpd-vhosts.conf (this is where the virtual host configuration is kept)

#Include conf/extra/httpd-default.conf

Remove the leading "#" from each of these lines to uncomment them.

Note: the settings in the four extra configuration files above must be configured sensibly according to the relevant principles!

Save and exit once the changes are made.

# /usr/local/apache2/bin/apachectl restart

2) Verify the L.A.M.P environment information and harden PHP

Place an info.php script in the web root and check that every entry in the phpinfo output is correct.

<?php

phpinfo();

?>

Once PHP is confirmed to be working, harden it in php.ini by disabling the dangerous functions.

# vi /etc/php.ini

Find:

disable_functions =

Set it to:

disable_functions = phpinfo,passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,popepassthru,stream_socket_server

3) Script to complete the initial configuration automatically (everything above can be done with a script)

#cat init_apache_php.sh

-------------------cut begin-------------------------------------------

#!/bin/bash

#Written by :NetSeek http://www.linuxtone.org

#init_httpd.conf
# The numeric line addresses below (121, 122, 374, ...) refer to the stock
# httpd.conf of the Apache version used in this post; check them against your own file first.

http_cf="/usr/local/apache2/conf/httpd.conf"

# run the Apache worker processes as the unprivileged www user and group
sed -i -e "s/User daemon/User www/" -e "s/Group daemon/Group www/" $http_cf

sed -i -e '121 s/^/#/' -e '122 s/^/#/' $http_cf

# add index.php to DirectoryIndex (the s### command must end with "#g", not "#/g")
sed -i 's#DirectoryIndex index.html#DirectoryIndex index.php index.html index.htm#g' $http_cf

# uncomment the Include lines for the extra configuration files
sed -i -e '374 s/^#//g' -e '389 s/^#//g' -e '392 s/^#//g' -e '401 s/^#//g' $http_cf

#init_php (PHP security settings and hiding the PHP version)

php_cf="/usr/local/php/etc/php.ini"

# confine PHP file access to the web root and /tmp
sed -i '205 s#;open_basedir =#open_basedir = /data/www/wwwroot:/tmp#g' $php_cf

# disable the dangerous functions
sed -i '210 s#disable_functions =#disable_functions = phpinfo,passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,popepassthru,stream_socket_server#g' $php_cf

# stop advertising the PHP version in response headers and stop showing errors to clients
sed -i '/expose_php/s/On/Off/' $php_cf

sed -i '/display_errors/s/On/Off/' $php_cf

-------------------cut end-------------------------------------------
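As an added audit helper, not part of the original post or the NetSeek script, the bash function below checks whether a php.ini already carries the settings the script above applies (expose_php, display_errors, open_basedir and disable_functions). The directive names are real php.ini directives; the list of functions it insists on is an assumption chosen for this check.

```bash
#!/bin/bash
# Added audit helper (not from the original post or the NetSeek script):
# verifies that a php.ini carries the hardening applied by init_apache_php.sh.
# The directive names are real php.ini directives; the set of functions
# required to be disabled below is an assumption chosen for this check.

# Functions that must appear in disable_functions for the check to pass.
REQUIRED_DISABLED="phpinfo passthru exec system shell_exec proc_open dl"

# Print the effective value of a directive: the last uncommented assignment
# (lines such as "; key = x" are ignored), with all whitespace removed.
ini_get() {
    # $1 = php.ini path, $2 = directive name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '[:space:]'
}

# check_php_ini FILE: returns 0 if every hardening setting is present,
# otherwise prints each failing item and returns 1.
check_php_ini() {
    local ini="$1" rc=0 val f
    val=$(ini_get "$ini" expose_php)
    [ "$val" = "Off" ] || { echo "expose_php is '$val', expected Off (version leaks in X-Powered-By)"; rc=1; }
    val=$(ini_get "$ini" display_errors)
    [ "$val" = "Off" ] || { echo "display_errors is '$val', expected Off (errors leak paths to clients)"; rc=1; }
    val=$(ini_get "$ini" open_basedir)
    [ -n "$val" ] || { echo "open_basedir is unset: scripts can read outside the web root"; rc=1; }
    val=$(ini_get "$ini" disable_functions)
    for f in $REQUIRED_DISABLED; do
        case ",$val," in
            *",$f,"*) ;;
            *) echo "disable_functions does not include $f"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Demo on a constructed, deliberately weak php.ini (not a real file from the post).
sample_ini=$(mktemp)
printf '%s\n' 'expose_php = On' ';display_errors = Off' 'display_errors = On' \
    ';open_basedir =' 'disable_functions = phpinfo,exec' > "$sample_ini"
check_php_ini "$sample_ini" || echo "sample php.ini fails the hardening checks"
rm -f "$sample_ini"
```

Run it as `check_php_ini /usr/local/php/etc/php.ini` after the init script to confirm the sed edits actually landed on the intended lines.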

III. Configuring virtual hosts and basic performance tuning

1) Configure virtual hosts:

#vi /usr/local/apache2/conf/extra/httpd-vhosts.conf

NameVirtualHost *:80

<VirtualHost *:80>

ServerAdmin cnseek@gmail.com

DocumentRoot "/data/www/wwwroot/linuxtone.org"

ServerName www.linuxtone.org

ServerAlias bbs.linxutone.org

ErrorLog "logs/dummy-host.example.com-error_log"

CustomLog "|/usr/sbin/cronolog /data/logs/access_www.linuxtone.org.%Y%m%d" combined

</VirtualHost>

2) Basic performance tuning reference

#vi /usr/local/apache2/conf/extra/httpd-default.conf

Timeout 15

KeepAlive Off

MaxKeepAliveRequests 50

KeepAliveTimeout 5

UseCanonicalName Off

AccessFileName .htaccess

ServerTokens Prod

ServerSignature Off

HostnameLookups Off

#vi /usr/local/apache2/conf/extra/httpd-mpm.conf

<IfModule mpm_prefork_module>

ServerLimit 2000

StartServers 10

MinSpareServers 10

MaxSpareServers 15

MaxClients 2000

MaxRequestsPerChild 10000

</IfModule>

3) Apache log handling

Reference configuration for leaving unneeded requests out of the log; adjust it according to your own situation:

LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

# add the following below it:

# filter the localhost visit

SetEnvIf Remote_Addr "127\.0\.0\.1" dontlog

# filter some special directories

SetEnvIf Request_URI "^ZendPlatform.*$" dontlog

SetEnvIf Request_URI \.healthcheck\.html$ dontlog

SetEnvIf Remote_Addr "::1" dontlog

SetEnvIf Request_URI "\.getPing.php$" dontlog

SetEnvIf Request_URI "^/error\.html$" dontlog

SetEnvIf Request_URI "\.gif$" dontlog

SetEnvIf Request_URI "\.jpg$" dontlog

SetEnvIf Request_URI "\.css$" dontlog

4) Apache hotlink protection

RewriteEngine on

RewriteCond %{HTTP_REFERER} !^$

RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain.com/.*$ [NC]

RewriteRule \.(gif|jpg)$ http://网站域名/nolink.png [R,L]

IV. Basic security settings

1) Block the relevant ports with iptables (recommended reading: the "Master iptables in two hours" post by 白金 on CU)

2) SSH security (change the SSH port and restrict the source IPs allowed to log in)

3) Linux strategies against ARP attacks

4) Note (the old saying still holds: security work starts with the details!)